EXPERT ADVICE: Password, chronicle of a death foretold

Authentication by password is dead. This has not yet been accepted by the majority of Internet sites, let alone by users, but it is the case. Just as telnet is dead and buried, having been replaced by ssh (today it is difficult even to remember that telnet was once the standard), authentication by password is also dead, and we are entering an era where the widespread practice of two-factor authentication is inevitable.

There are several reasons for this. First, of course, there is the user. With more and more users and less and less awareness of computer security principles (a result of the democratization and widespread use of the Internet in society), the attack surface keeps growing. The rise in the number of subscribers to popular web platforms increases the risk just as much. For the most part, people use the same password for all websites. Today, by default, the universally accepted login is the subscriber's email address. The centralization of email platforms further aggravates the problem: finding a valid login for an online platform by simple trial and error becomes an equation with practically no unknowns.

The principle of the "password" is often perceived as a burden and as overrated. It is difficult to convince users not versed in computer security that it is a critical element in protecting personal data. It is therefore easy to blame the user, who is incapable of understanding what is at stake when not choosing a strong password. Can billions of people be wrong, or did computer security experts get it wrong from the start? Take our bank cards: they are protected by a simple 4-digit PIN, so how can we convince users to protect their selfies on Facebook with a strong 10-character password that must include capital letters, lower case letters and special characters? People hate passwords, and they have reason to.

If we need convincing, it is easy to see that even a strong password, as often mandated by company IT charters, in reality resolves very few security problems. What about a password with entropy that would satisfy any CISO, simply noted on a post-it? And what about a strong password generated by the IS department, sent in the clear by email and stored on an employee's PC? What do you make of a strong password carefully spelled out over the phone by the user, at the simple request of somebody posing as an IT department staff member? Even leaving the corporate world and returning to the Internet in general, how can one be sure that the databases to which users entrust their passwords are secure? How many sites simply send forgotten passwords by email, revealing that the password was stored in the clear? How many still use an unsalted MD5 hash, which is easy to reverse with rainbow tables, a time/memory trade-off attack that, thanks to the incredibly low price of storage, is today within anyone's reach?

"As with bank cards and their PIN codes, the only real solution is the wide adoption of two-factor authentication."

It is time to accept that the password is simply dead and that, as with bank cards and their PIN codes, the only real solution is the wide adoption of two-factor authentication. Remember, the three key factors can be summarized as "what I know" (a password), "what I possess" (a key or other object) and finally "what I am" (biometrics: fingerprint, iris recognition, etc.). We can recall the "RSA SecurID" type of token that some large companies put in place to protect their employees' access to their secure networks. This authentication principle is not new, but only recently has it become affordable and therefore available for widespread use. Today, about half the population has a smartphone, making the cost of this technology practically nothing: a simple application gives you the same security as a physical token, using a public algorithm to derive a TOTP (Time-based One-Time Password). This is a single-use password, valid for one minute only, computed from a constant (a secret shared between client and server, with high entropy, which the end user never needs to know) and a variable: the time. This type of application exists for all smartphones. The applications are free and generic: they can store as many shared secrets as needed for the different services the user needs to access. Implementing these systems on the server side is quite easy, and the algorithms are public and freely available. Of course, this does not replace the good old password: the TOTP provided by the smartphone (what I have) is combined with the classic password (what I know) to create a strong form of two-factor authentication. The rate of smartphone ownership will continue to increase, but in the meantime there is no need to exclude those who do not own one. It is enough to offer to send the user an SMS from the server that requires authentication; this fulfills the role of "what I have" (my phone).

Everything is in place, and the only thing that remains is to push this technology to users. The ball is in the court of the security community, as it is not the user's job to know how to ensure their own security: we must provide tools that make strong authentication simple and explain to users why it matters. More and more, we are seeing the big Internet players put this type of authentication in place. Some have very good approaches that empower and guide the user step by step in enabling this option, without obscure technical language. Without a doubt this will take some time, but the quicker the better. The day users come across a website offering only single-password authentication and say to themselves, "wow, I think I'll go to the competitor", is the day we can finally say that the fight has been won!

Note: Two-factor authentication by SMS is already available for many OVH services; it is deployed on all of the new customer control panels. All supported extension methods (static TOTP and OTP in particular) are scheduled to be available in the near future.